2.) The root CA certificate of the same CA who issued the server certificate for ACS. This root CA certificate has to/will be installed on all the LAN clients and on the ACS. This has to be done by the AD admin of your company or you can do it manually for every LAN client.
3.) A client certificate on all the LAN clients from your inhouse CA (preferable the same CA at step 1). This can be pushed through GPO by AD admins of your company. No manual effort required.
4.) Switch to be configured for authenticating the LAN users. Enable dot1x (802.1x). Here are the steps:
6.) ACS to be installed with the root CA certificate of the CA who issued the certificate to ACS. Additionally, install the root CA certificate of the CA who issued the certificate to the clients, (if it’s not the same CA.) Refer to this section of the document: